Re: Debian PHP upgrade

To: Philip Hands <phil@hands.com>, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Gareth Webb <gwebb@Acceleration.biz>, Ondřej Surý <ondrej@sury.org>, Salvatore Bonaccorso <carnil@debian.org>, "debian-devel@lists.debian.org" <debian-devel@lists.debian.org>
Subject: Re: Debian PHP upgrade
From: Andile Ntebe <ANtebe@Acceleration.biz>
Date: Tue, 31 Mar 2015 12:41:02 +0000
Message-id: <[🔎] 231A5CB4-4B85-40FE-8253-93248CE411EA@acceleration.biz>
In-reply-to: <[🔎] 87lhilqhgs.fsf@hands.com>
References: <[🔎] AM3PR06MB1187A1054F30FFBCE18041DED20D0@AM3PR06MB1187.eurprd06.prod.outlook.com> <[🔎] 20150323075942.GA29714@lorien.valinor.li> <[🔎] 1427211878.4170159.244603634.39FB1A34@webmail.messagingengine.com> <[🔎] AM3PR06MB1187B5494B1196C3C4126C3DD20B0@AM3PR06MB1187.eurprd06.prod.outlook.com> <[🔎] b6c9b41536487ba6807a2a9949f3e66d@mowgli.jungle.funky-badger.org> <[🔎] 77F52449-5915-41CD-88C2-B52A79BE96AC@acceleration.biz> <[🔎] 2095e7c6881ef0fac1aa48cb396f4ba0@mowgli.jungle.funky-badger.org> <[🔎] 26CB39B0-70E1-487F-988C-07AF6B0A384E@acceleration.biz> <[🔎] 87lhilqhgs.fsf@hands.com>

Hi Philip

Thank you very much for your response.

Regards




On 2015/03/25, 4:28 PM, "Philip Hands" <phil@hands.com> wrote:

>Andile Ntebe <ANtebe@Acceleration.biz> writes:
>
>> Hi
>>
>> Im not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
>>
>> The below vulnerabilities seem to affect this version:
>
>You seem not to have noticed that Debian fixes security issues in stable
>versions of our packages, so you're comparing the version that Apache
>would tell you is vulnerable without noticing the faxes that have been
>applied since then by the Debian security team.
>
>I suggest that you take your list of CVEs and see if any of them are not
>mentioned as having been fixed in the Debian changelog:
>
>  http://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13+deb7u4_changelog
>
>(I'm guessing that if you've been upgrading as hard as you can, and
>still have 2.2.22 then you're using Debian 7, a.k.a "wheezy" -- look in
>/etc/debian_version where you should see "7.8")
>
>Anyway, you need to note that the Debian version of Apache that you are
>running is not 2.2.22, but rather 2.2.22-13+deb7u4, so that is the 13th
>version of the package that's been built by the package maintainer, many
>of which added fixed for CVEs, taking us to version 2.2.22-13, followed
>by four more uploads that backport fixes to Debian 7  (deb7u1..deb7u4)
>each of which adds more CVE fixes.
>
>Upgrading to the latest version of something to fix security bugs
>carries with it the potential to introduce new unexpected behaviours,
>and that may result in things breaking, which is why we backport
>security fixes instead of just asking everyone to upgrade and hoping for
>the best.
>
>...
>> Is there a way for us to update to the latest version?
>
>There certainly is -- you can choose to run our testing or unstable
>branches, rather than stable, but hopefully now you know why you should
>not be fretting about this.
>
>Cheers, Phil.
>--
>|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
>|-|  http://www.hands.com/    http://ftp.uk.debian.org/
>|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

Reply to:

References:
- Debian PHP upgrade
  - From: Gareth Webb <gwebb@Acceleration.biz>
- Re: Debian PHP upgrade
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: Debian PHP upgrade
  - From: Ondřej Surý <ondrej@sury.org>
- RE: Debian PHP upgrade
  - From: Gareth Webb <gwebb@Acceleration.biz>
- RE: Debian PHP upgrade
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: Debian PHP upgrade
  - From: Andile Ntebe <ANtebe@Acceleration.biz>
- Re: Debian PHP upgrade
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: Debian PHP upgrade
  - From: Andile Ntebe <ANtebe@Acceleration.biz>
- Re: Debian PHP upgrade
  - From: Philip Hands <phil@hands.com>

Prev by Date: Re: Debian PHP upgrade
Next by Date: Re: aptitude has Priority: standard, why?
Previous by thread: Re: Debian PHP upgrade
Next by thread: Re: Debian PHP upgrade
Index(es):
- Date
- Thread